Solved

ISA 2006 Client\User Certificates Issue...

Posted on 2006-11-17
813 Views
Last Modified: 2013-11-16
I was wondering if the statement below is true for ISA 2006, as it was in ISA 2000 and I believe ISA 2004?

If you’ve tried to allow users to authenticate with the Incoming Web Requests listener and the internal network Web server, you’ve realized it doesn’t work. There is only one way to get authentication to work on both the Incoming Web Requests listener and the Web server on the internal network. The only scenario that allows authentication at both the ISA Server and the internal network Web server is when the Incoming Web Requests listener uses client certificate authentication and the internal network Web server uses Digest, Integrated or Basic authentication.

Is this the only scenario that requires the use of client\user certificate authentication for any version of ISA?

It looks like in ISA 2006, as long as we have SSL bridging on, we can secure communications via SSL from the ISA server to the web server too, as well as or in addition to configuring a secure SSL connection from the web client to the ISA server itself via the listener. It seems like in ISA 2006 you don’t need dual authentication, both at the ISA and at the web server, to have full end-to-end SSL.

Is that now true in ISA 2006?

Or has this always been possible in all versions of ISA?

More to the point, does it hold on all versions that for dual authentication you must use client certificates?

Meaning, is it the only time client\user certs are required?

But if you don’t want\need dual authentication, meaning just authenticating at the ISA, can we still have end-to-end SSL on ISA 2006 without the use of client certificates?

{Is it also true for ISA 2004 and 2000?}

Also, in the scenario where no client\user certificates are involved, does ISA then never need to communicate with a CA to verify certificates via a CRL to maintain\employ end-to-end SSL?

Because at this point our certs on ISA show as invalid or expired, as we are not allowing any web traffic from ISA out.

I know there is a CRL HTTP rule out, but I'm not sure if we need to allow that with web clients just authenticating at ISA and not at the web server too (i.e. dual auths).

In the scenario where authentication takes place only at the ISA listener, does it matter that we have not allowed access to the web to access CRL data?

As I know that a cert is considered invalid if not verified against a CRL {why our ISA certs have a red X, i.e. show as invalid\expired}, but it nonetheless does match the certs on the web server, which themselves, unlike the ISA server, do not have a red X on the cert, as it can verify the cert because it has web access.

Do we need to allow one-time {or continuous} access to a\the CRL site to get the red X off the ISA certs if we're only authenticating web clients once via the ISA listener for end-to-end SSL?

Paul…

0
Question by:inuic

11 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17967801
First, please do not leave all that white space between your comments; it makes it a nightmare to read through.

In 2004 and 2006 you had the option of either tunnelling SSL or bridging it. Many people prefer tunnelling, whereby you only have the cert on the web server and ISA tunnels the traffic directly through to the web server. Upside: cert only on the web server. Downside: ISA cannot filter the traffic, as it cannot decrypt (see inside) the SSL tunnel and so cannot see what the traffic is to accept/reject it, i.e. it's just a conduit.

The bridging option comes in a number of flavours:

SSL outside to ISA (needs cert on ISA) --- bridge SSL from ISA to web server (needs another cert on web server)
SSL outside to ISA (needs cert on ISA) --- bridge HTTP from ISA to web server (no cert on web server)
HTTP outside to ISA (no cert on ISA) --- bridge HTTP from ISA to web server (no cert on ISA)
HTTP outside to ISA (no cert on ISA) --- bridge SSL from ISA to web server (needs cert on web server)

View the certificate; a red X normally means it has failed one of the criteria: Fully Qualified Domain Name (FQDN), out of date, non-authorised certifier, etc. Have you imported the certs into the certificate root on ISA also?

Keith

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17967818
Also, who is your certificating body?

You can add them to the list through the ISA system policy: highlight the ISA firewall policy.
At the top of the ISA screen, a set of icons appears. Hit the last one on the right and it toggles the system policy rules on/off. Towards the bottom of these are the allowed CRL sites etc. Edit this and add as necessary. Apply the policy, then hit the toggle icon again to remove them from the list.
0
 

Author Comment

by:inuic
ID: 17968014
My main question is about client\user certificates, and whether they are needed\required for full end-to-end SSL. It looks like you can have end-to-end SSL and just use bridging without employing the extra step of user certificates. Is this just tunnelling? In order to have stateful inspection of what's in the SSL tunnel, do you need to use user\client certificates? If I don't require authentication at both the ISA server and the web server, just at ISA, and have SSL from the client to ISA, and bridge SSL to the web server from ISA, is that just SSL tunnelling, i.e. no stateful inspection of the data in the SSL tunnel?

Which scenarios allow stateful inspection of what's in the SSL tunnel when using end-to-end SSL? Does it require client\user certificates, i.e. dual authentication at both the ISA and web server?

If I just require authentication at ISA and still bridge SSL to the web server, is that just SSL tunnelling?

I'm not sure my questions were really answered by the previous comments. But thanks for the input.

Paul...
P.S. I left white space for room to answer my individual questions, as there were many...
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17968079
OK, one at a time here..... :)

To perform SPI through ISA you need to bridge, period. Tunnelling means that ISA cannot see what is in the tunnel, as it's encrypted, and acts simply as a carrier for the traffic, not a monitor, i.e. the client makes the SSL tunnel from their browser directly to the end web server. SSL tunnelling on ISA means it acts like a railway tunnel: the traffic simply passes through, as in a conduit.

Bridging means that ISA terminates the connection from the client regardless of whether it is SSL or HTTP. It then opens its own connection between itself and the web server. In this condition it can check the traffic, as it has decoded what has come in (and identified it) before repackaging it again for transit to the web server.

Most organisations use SSL between the ISA and the outside client and then use HTTP (bridge) to the internal web server. This saves on certificates and is the simplest method, with the exception of tunnelling straight through.

When you click on your certificate and choose the view option, what does it say has failed?
0
 

Author Comment

by:inuic
ID: 17968089
P.S.

I have imported the certs into the certificate root on ISA. But we allow no web traffic out, hence the CRL site cannot be contacted to verify the certs on ISA. Is that why they have a red X? The same certs on the web server have no red X. I imported my certs to ISA from the web server. To verify the certs on ISA {remove the red X}, do I need to allow ISA access to the CRL site? We are using VeriSign as our CA.

Paul...
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17968109
Sorry, have I been at a tangent here? Yes, ISA will need to contact the site; by default ISA cannot talk to much. If you do not want ISA to have general web access, then use the option I mentioned above to give limited access.

<<< You can add them to the list through the ISA system policy: highlight the ISA firewall policy.
At the top of the ISA screen, a set of icons appears. Hit the last one on the right and it toggles the system policy rules on/off. Towards the bottom of these are the allowed CRL sites etc. Edit this and add as necessary. Apply the policy, then hit the toggle icon again to remove them from the list. >>>
0
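A way to answer Keith's "what does it say has failed?" from the ISA host itself, as an added example that is not part of this thread: it builds the certificate chain with online revocation checking, prints the CRL distribution points the certificate carries (the URLs the system policy has to permit), and separates "CRL unreachable" from "expired" and "CA chain not imported". It assumes PowerShell 2.0 or later on the ISA machine and a placeholder thumbprint you replace with your own.

```powershell
# Added example, not from this thread: build the chain for a published server
# certificate the way the certificate viewer does (online revocation checking), so a
# red X can be told apart as "CRL unreachable", "expired" or "CA chain not imported".
param(
    # PLACEHOLDER: thumbprint of the certificate in Cert:\LocalMachine\My on the ISA host.
    [string]$Thumbprint = 'REPLACE_WITH_THUMBPRINT'
)
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# 1. CRL distribution points carried by the certificate (extension OID 2.5.29.31). These
#    are the URLs the ISA system policy must allow the firewall itself to reach.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$crlUrls = @()
if ($cdp) { $crlUrls = @([regex]::Matches($cdp.Format($true), 'https?://\S+') | ForEach-Object { $_.Value }) }
"CRL distribution points:"
$crlUrls | ForEach-Object { "  $_" }

# 2. Chain build with revocation checked online for every certificate in the chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
$valid = $chain.Build($cert)
"Chain valid: $valid"
$mask = 0
foreach ($s in $chain.ChainStatus) {
    "  $($s.Status): $($s.StatusInformation.Trim())"
    $mask = $mask -bor [int]$s.Status
}

# 3. Map the flags onto the three causes that matter on a locked-down ISA host.
$F = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
if ($mask -band ([int]$F::RevocationStatusUnknown -bor [int]$F::OfflineRevocation)) {
    "=> CRL could not be retrieved: an egress/system-policy problem, not a bad certificate."
} elseif ($mask -band [int]$F::NotTimeValid) {
    "=> Certificate or an issuer is outside its validity period: renew it."
} elseif ($mask -band ([int]$F::UntrustedRoot -bor [int]$F::PartialChain)) {
    "=> Root or intermediate CA missing from this machine's store: import the CA chain."
}

# 4. Confirm from this host that each CRL URL is reachable (what ISA has to be able to do).
foreach ($url in $crlUrls) {
    try {
        $resp = [System.Net.WebRequest]::Create($url).GetResponse()
        "  reachable:   $url (HTTP $([int]$resp.StatusCode))"; $resp.Close()
    } catch { "  UNREACHABLE: $url - $($_.Exception.Message)" }
}
```

If step 2 reports RevocationStatusUnknown or OfflineRevocation while step 4 shows the URLs as unreachable, the red X is the blocked CRL download described in this thread rather than a problem with the certificate itself.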
 

Author Comment

by:inuic
ID: 17968121
How do you configure just SSL tunnelling, that is end-to-end SSL with no bridging, then? I know how to do bridging, it seems, but I am still confused as to when a user\client certificate comes into play. This is more complex than I had hoped...

Paul
0
 

Author Comment

by:inuic
ID: 17968159
We were able to access the internal web server over SSL even though the certs in ISA have the red X on them... Is that one way it's allowed to work? Is it that if I want to use client\user certificates in conjunction with what I am already doing, I need to get rid of the red Xs on my certs in ISA?

Paul
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 125 total points
ID: 17968221
Maybe it is simpler if I give you some links to check through. I am doing a couple of ISA 2000 questions at the moment, so I cannot get to the screens I need to give you the exact option.

Here is the difference between tunnelling and bridging:
http://www.isaserver.org/tutorials/Understanding_SSL_bridging_and_tunneling_within_ISA.html

These are the links I generally post to people to explain the process; they may give you the answer you are looking for.
http://support.microsoft.com/default.aspx?kbid=837834&product=isas2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/help/FW_SecureWebPub.mspx?mfr=true
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/publishingwebservers.mspx
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_proxy_traffic.mspx
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tscerts.mspx

I know you are on 2006, but the process is the same.

0
